Android Bitcoin apps vulnerability disclosed, updates coming soon

Bitcoin has just issued an announcement to users of several Android Bitcoin apps regarding a security issue found in the Android platform itself. The culprit is Android's own random number generator, which has been found to contain critical weaknesses that would make some Bitcoin wallets vulnerable to theft.

Bitcoin is a virtual currency that makes use of cryptography to create and transfer bitcoins. Users make use of digital wallets to store bitcoin addresses from which bitcoins are received or sent. These bitcoin addresses are actually cryptographic keys generated and managed by a local app or by an online service.

Because of the security issue with Android's random number generator, wallets generated by an Android app could be considered insecure. Bitcoin has mentioned Bitcoin Wallet, blockchain.info, Bitcoin Spinner, and Mycelium Wallet as examples of such apps, although the list is not exhaustive. Bitcoin details how to re-secure wallets using key rotation, which basically consists of marking old addresses as insecure and generating new ones.

Updates for the mentioned apps are being prepared, and users are advised to follow the key rotation procedures once the updates have been rolled out. While most Android app users will have to do it manually, users of the Bitcoin Wallet app by Andreas Schildbach will have it done automatically for them. Android apps that do not generate addresses on the device, such as Coinbase or Mt Gox, are not affected by the vulnerability.
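
The key rotation described above, sketched as an added example (not code from any of the apps named): every existing key is marked insecure, a fresh key is drawn from the operating system's CSPRNG, and a plan is produced for moving balances to it. `KeyRecord`, `rotate_keys`, the hash-based key id and the sample balances are assumptions, as is the sweep step, which is included because funds left under an old key stay exposed.

```python
from __future__ import annotations
import hashlib
import secrets
from dataclasses import dataclass

# Order of the secp256k1 group; a valid Bitcoin private key lies in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

@dataclass
class KeyRecord:
    privkey: bytes
    balance: int = 0        # satoshis; callers supply constructed sample values
    insecure: bool = False  # True once the key must no longer receive funds

    @property
    def key_id(self) -> str:
        # Stand-in for a real address (assumption): a short hash of the key.
        return hashlib.sha256(self.privkey).hexdigest()[:16]

def new_private_key(rng=secrets.token_bytes) -> bytes:
    """Draw 32 bytes from the OS CSPRNG until they form a valid key."""
    while True:
        candidate = rng(32)
        if 1 <= int.from_bytes(candidate, "big") < SECP256K1_N:
            return candidate

def rotate_keys(wallet: list[KeyRecord], rng=secrets.token_bytes):
    """Mark every existing key insecure, add one fresh key, and return
    (fresh_key, sweep_plan); sweep_plan lists (old_id, new_id, amount)
    transfers that empty the old keys into the fresh one."""
    fresh = KeyRecord(new_private_key(rng))
    if any(k.privkey == fresh.privkey for k in wallet):
        # A repeated key means the RNG is still broken: abort the rotation.
        raise RuntimeError("RNG repeated an existing key; do not rotate")
    sweep_plan = []
    for key in wallet:
        key.insecure = True
        if key.balance > 0:
            sweep_plan.append((key.key_id, fresh.key_id, key.balance))
    wallet.append(fresh)
    return fresh, sweep_plan

def receive_key(wallet: list[KeyRecord]) -> KeyRecord:
    """Only keys not marked insecure may be handed out for new payments."""
    usable = [k for k in wallet if not k.insecure]
    if not usable:
        raise LookupError("no secure key available; rotate first")
    return usable[-1]
```

Rotation only helps once the random number generator has been fixed, which is why the announcement ties it to the app updates.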